Written by Dr Al Hartmann and presented by Chuck Leaver, Ziften CEO
After a huge data breach at the Office of Management and Budget (OMB), agencies were directed by Tony Scott, Federal Chief Information Officer, to take immediate and specific actions over the next 4 weeks to further improve the security of their data and systems. For an organization this large it was a bold move, but software development has taught us that acting quickly, or sprinting, can make a lot of headway on a problem in a short time. That is especially true for big organizations, and the OMB is definitely big.
There were 8 principles to concentrate on. We have broken them down and offered insight on how each could be made more effective within the timeframe, to help the government make significant inroads in just a month. As you would expect, we look at things from the endpoint, and as you read the 8 principles you will see how endpoint visibility would have been essential to a successful sprint.
1. Protecting data: Better protect data at rest and in transit.
This is a good start, and rightly priority one, but we would strongly encourage OMB to include the endpoint here. Many data protection programs forget the endpoint, yet it is where data is most exposed, whether at rest or in transit. The team should confirm that it can assess endpoint software and hardware configuration, including the presence of any data protection and system protection agents, and not forgetting checks of the Microsoft BitLocker configuration. That is only the start: compliance checking of mandated agents must not be overlooked, and it must run continuously, so that audit reports can state the percentage coverage of each agent.
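The continuous compliance check described above, as an added example that is not Ziften's code and not part of the original post: it runs over a constructed inventory export (the endpoint records, the agent names and the field layout are assumptions), reports the percentage coverage of each mandated agent, and lists every endpoint that is missing an agent or is not fully encrypted at rest.

```python
"""Continuous compliance check of mandated endpoint agents and BitLocker
state. Added illustration, not Ziften's code; the inventory records, the
agent names and the field layout are constructed assumptions."""
from collections import Counter

# Agents that policy mandates on every endpoint (hypothetical names).
MANDATED_AGENTS = ("edr-agent", "dlp-agent", "av-agent")

# Constructed inventory export: one record per endpoint. The "bitlocker"
# field mirrors the VolumeStatus values Windows reports for the OS drive;
# every record here is made up for the example.
INVENTORY = [
    {"host": "ws-0001", "agents": ["edr-agent", "dlp-agent", "av-agent"], "bitlocker": "FullyEncrypted"},
    {"host": "ws-0002", "agents": ["edr-agent", "av-agent"], "bitlocker": "FullyEncrypted"},
    {"host": "ws-0003", "agents": ["edr-agent", "dlp-agent", "av-agent"], "bitlocker": "FullyDecrypted"},
    {"host": "ws-0004", "agents": ["edr-agent", "dlp-agent", "av-agent"], "bitlocker": "FullyEncrypted"},
    {"host": "srv-0001", "agents": ["edr-agent"], "bitlocker": "EncryptionInProgress"},
]


def agent_coverage(inventory, mandated=MANDATED_AGENTS):
    """Percentage of endpoints reporting each mandated agent (the audit figure)."""
    total = len(inventory)
    present = Counter()
    for record in inventory:
        installed = set(record["agents"])
        for agent in mandated:
            if agent in installed:
                present[agent] += 1
    return {agent: round(100.0 * present[agent] / total, 1) for agent in mandated}


def noncompliant_endpoints(inventory, mandated=MANDATED_AGENTS):
    """Endpoints missing a mandated agent or lacking full-disk encryption at rest."""
    findings = []
    for record in inventory:
        missing = [a for a in mandated if a not in record["agents"]]
        encrypted = record["bitlocker"] == "FullyEncrypted"
        if missing or not encrypted:
            findings.append({"host": record["host"], "missing_agents": missing, "encrypted": encrypted})
    return findings


if __name__ == "__main__":
    for agent, pct in agent_coverage(INVENTORY).items():
        print(f"{agent}: {pct}% coverage")
    for finding in noncompliant_endpoints(INVENTORY):
        print(finding)
```

Run on a schedule against a fresh inventory export, the coverage figures become the audit trend line and the findings list becomes the remediation queue; an endpoint whose encryption is still in progress is deliberately treated as non-compliant, since data on it is not yet protected at rest.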
2. Improving situational awareness: Enhance indication and warning.
Situational awareness is close to visibility: can you see what is actually happening, where, and why? And naturally this needs to be in real time. During the sprint it should be verified that the following can be tracked across many thousands of endpoints hosting vast oceans of processes: identity and tracking of logged-in users, user focus activity, user presence indications, active processes, network contacts with process-level attribution, system stress levels, notable log events and a myriad of other activity indicators. THAT is situational awareness for both indication and warning.
3. Increasing cyber security proficiency: Ensure a robust capability to recruit and retain cyber security personnel.
This is a challenge for any security program. Finding great talent is hard, and keeping it is harder still. To attract this kind of skillset, win people over by giving them current tools for cyber battle. Make sure they have a system that offers complete visibility of exactly what is happening at the endpoint and across the whole environment. As part of the sprint, OMB should analyse the tools in place and check whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.
4. Increasing awareness: Enhance overall threat awareness by all users.
Risk awareness starts with effective risk scoring, and thankfully that is something that can be achieved dynamically all the way down to the endpoint and used to educate every user. User education is a job that is never finished, as the high success rate of social engineering attacks proves. But when security teams have endpoint risk scoring they have concrete evidence to show users where and how they are vulnerable. This real situational awareness (see #2) improves user knowledge, and also gives the security team precise details on, say, known software vulnerabilities, cases of compromised credentials and insider adversaries, while continually monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated risks for triage by security staff.
5. Standardizing and automating procedures: Decrease time needed to manage configurations and patch vulnerabilities.
More should be demanded of security solutions: that they are deployable immediately, without tedious preparation, infrastructure standup or extensive staff training. Did the solutions in place take longer than a couple of days to implement, and require another full-time employee (FTE), or even half an FTE? If so, rethink those solutions, because they are probably hard to use (see #3) and are not getting the job done, so the current tooling will need to be improved. Likewise, look for endpoint solutions that not only report software and hardware configuration and active services and processes, but also apply the National Vulnerability Database to report the vulnerabilities actually exposed by running software, and then assign a total vulnerability score to each endpoint so that overworked support staff can prioritize patching.
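The per-endpoint vulnerability scoring just described, as an added example that is not Ziften's code and not from the original post. It matches a constructed inventory of installed software against constructed NVD-style records (the CVE identifiers are placeholders, not real CVEs), counts only vulnerabilities in software that is actually running, and ranks endpoints for patching; the additive CVSS total is an assumed scoring rule, not the NVD's or Ziften's.

```python
"""Per-endpoint exposed-vulnerability score for patch prioritization.
Added illustration, not Ziften's code. The CVE records, product names,
versions and endpoint inventory are all constructed; the additive score
is an assumed rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    affected_versions: tuple  # versions the record lists as vulnerable
    cvss: float               # NVD-style base score


# Constructed NVD-style records; the IDs are placeholders, not real CVEs.
CVES = [
    Cve("CVE-0000-0001", "examplebrowser", ("101.0", "101.1"), 9.8),
    Cve("CVE-0000-0002", "examplebrowser", ("101.0",), 6.5),
    Cve("CVE-0000-0003", "pdfviewer", ("11.2",), 7.8),
    Cve("CVE-0000-0004", "legacyagent", ("3.0",), 8.1),
]

# Constructed endpoint inventory: installed product versions plus the set
# of products observed running (from process monitoring).
ENDPOINTS = [
    {"host": "ws-0001", "installed": {"examplebrowser": "101.0", "pdfviewer": "11.2"}, "running": {"examplebrowser"}},
    {"host": "ws-0002", "installed": {"examplebrowser": "102.0", "pdfviewer": "11.2"}, "running": {"pdfviewer"}},
    {"host": "ws-0003", "installed": {"legacyagent": "3.0", "examplebrowser": "101.1"}, "running": {"legacyagent", "examplebrowser"}},
    {"host": "ws-0004", "installed": {"pdfviewer": "11.3"}, "running": {"pdfviewer"}},
]


def exposed_vulns(endpoint, cves=CVES):
    """CVEs matching installed versions, split into those in running software
    (actually exposed) and those in software that is installed but dormant."""
    running, dormant = [], []
    for cve in cves:
        version = endpoint["installed"].get(cve.product)
        if version in cve.affected_versions:
            (running if cve.product in endpoint["running"] else dormant).append(cve)
    return running, dormant


def endpoint_score(endpoint, cves=CVES):
    """Total vulnerability score: sum of CVSS over running exposed CVEs (assumed rule)."""
    running, _ = exposed_vulns(endpoint, cves)
    return round(sum(c.cvss for c in running), 1)


def patch_priority(endpoints, cves=CVES):
    """Endpoints ordered from highest to lowest score, the patching work list."""
    return sorted(((endpoint_score(e, cves), e["host"]) for e in endpoints), reverse=True)


if __name__ == "__main__":
    for score, host in patch_priority(ENDPOINTS):
        running, dormant = exposed_vulns(next(e for e in ENDPOINTS if e["host"] == host))
        print(f"{host}: score {score}, running {[c.cve_id for c in running]}, dormant {[c.cve_id for c in dormant]}")
```

Separating running from dormant matches is what turns a static inventory report into the "actually exposed" view the paragraph asks for: ws-0002 has the same vulnerable PDF viewer version as ws-0001, but on ws-0001 it is not running, so it contributes to the dormant list rather than the score.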
6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Rapidly identify and resolve events and incidents.
Fast identification of and response to problems is the main objective in the new world of cyber security. During their 30-day sprint, OMB should examine their solutions and make sure to find technology that can not only monitor the endpoint, but also track every process that runs and all of its network contacts, including user login attempts, to support tracking of malware proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches suggests that about half of compromised endpoints host no recognizable malware, which raises the importance of login and contact activity. Proper endpoint security will retain OMB data for long-term analysis, because many indicators of compromise only become available after the event, or long afterwards, while persistent attackers may lurk silently or remain dormant for extended periods. Attack code that can be detonated in a sandbox and recognized within minutes is not the mark of sophisticated attackers. The ability to keep clues and connect the dots across both space and time is essential to complete identification and to a resolution after which the intruder does not return.
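The "connect the dots across space and time" point above, as an added example that is not Ziften's code and not part of the original post. It keeps constructed endpoint telemetry (network contacts with process attribution, plus login events between hosts) and, when an indicator of compromise is published weeks later, searches the retained history for contacts that predate the indicator and reconstructs the login trail between the hosts that touched it; note that nothing in the match depends on a malware file being present. The event layout, the hosts, the users and the indicator address (from a documentation IP range) are all constructed.

```python
"""Retrospective indicator matching over retained endpoint telemetry.
Added illustration, not Ziften's code; the events, hosts, users and the
indicator are constructed."""
from collections import defaultdict

# Constructed telemetry retained for later analysis (not real data): network
# contacts attributed to a process and user, and login events between hosts.
EVENTS = [
    {"ts": "2020-01-06T09:02:11Z", "host": "ws-0007", "type": "net", "process": "outlook.exe", "user": "jdoe", "dst": "203.0.113.10"},
    {"ts": "2020-01-06T09:05:40Z", "host": "ws-0007", "type": "net", "process": "powershell.exe", "user": "jdoe", "dst": "198.51.100.23"},
    {"ts": "2020-01-06T09:06:02Z", "host": "ws-0012", "type": "login", "user": "jdoe", "result": "success", "src": "ws-0007"},
    {"ts": "2020-01-06T09:07:15Z", "host": "ws-0012", "type": "net", "process": "svchost.exe", "user": "jdoe", "dst": "198.51.100.23"},
    {"ts": "2020-01-07T14:30:00Z", "host": "ws-0003", "type": "net", "process": "chrome.exe", "user": "asmith", "dst": "203.0.113.10"},
    {"ts": "2020-01-07T16:12:09Z", "host": "ws-0012", "type": "login", "user": "asmith", "result": "failure", "src": "ws-0003"},
]

# Indicator that only became known weeks after the contacts (constructed C2
# address from the TEST-NET-2 documentation range) with its publication date.
LATE_IOC = {"dst": "198.51.100.23", "published": "2020-01-27T00:00:00Z"}


def retrospective_matches(events, ioc):
    """Hosts whose retained contact history touched the indicator before it was
    published, each with (timestamp, process, user), oldest contact first."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        if ev["type"] == "net" and ev["dst"] == ioc["dst"] and ev["ts"] < ioc["published"]:
            hits[ev["host"]].append((ev["ts"], ev["process"], ev["user"]))
    return dict(hits)


def lateral_movement_trail(events, hosts):
    """Successful logins from one matched host to another, in time order."""
    return sorted(
        (ev["ts"], ev["src"], ev["host"], ev["user"])
        for ev in events
        if ev["type"] == "login" and ev["result"] == "success"
        and ev["src"] in hosts and ev["host"] in hosts
    )


def investigate(events, ioc):
    """Scope of the incident as reconstructed from retained data."""
    matches = retrospective_matches(events, ioc)
    return {
        "hosts": sorted(matches),
        "first_contact": min(v[0][0] for v in matches.values()) if matches else None,
        "trail": lateral_movement_trail(events, set(matches)),
    }


if __name__ == "__main__":
    print(investigate(EVENTS, LATE_IOC))
```

The first contact here came from an interactive shell on ws-0007, followed a minute later by a login from that host to ws-0012, which then contacted the same address from a system process: the process attribution and the login record together give the spread path, and the retained history gives the dwell time between first contact and the day the indicator was published.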
7. Reinforcing systems lifecycle security: Increase the inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
This is a worthy goal, and a massive challenge at an organization as big as OMB. It is another place where proper endpoint visibility can immediately measure and report endpoint software and hardware configuration, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures, or system crashes), and other indicators of endpoints outliving their useful or secure service lives. With that you have a complete inventory to prioritize for retirement and replacement.
8. Decreasing attack surfaces: Reduce the complexity and number of things defenders need to protect.
If numbers 1 through 7 are implemented, and the endpoint is properly considered, that alone is a big step toward reducing attack risk. But beyond that, endpoint security can also give a real picture of the actual attack surface. Consider the ability to measure attack surface by the number of distinct binary images exposed across the whole endpoint population. For example, our Ziften Pareto analysis of binary image frequency statistics produces a typical "ski slope" distribution, with a long thin tail representing huge numbers of very unusual binary images (present on fewer than 0.1% of all endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also worsens vulnerability lifecycle management). Data from many customer deployments reveals outright bloat factors of 5-10X compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich hackers' paradise.
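The binary image frequency analysis sketched above, as an added example that is not Ziften's analysis code and uses no customer data: it builds a synthetic population of 2,000 endpoints with a standard build, department bundles, one application present in three versions, and a one-off image on every fourth endpoint, then computes the prevalence of every distinct image, the sorted "ski slope" curve, the size of the tail below 0.1% prevalence, and a bloat factor. The 10% prevalence cutoff used to define the "disciplined" baseline is an assumption made for the example.

```python
"""Pareto analysis of binary image prevalence across an endpoint population.
Added illustration, not Ziften's code; the population is synthetic and the
10% baseline cutoff is an assumed definition of a disciplined image set."""
from collections import Counter


def build_population(n_endpoints=2000):
    """Constructed population (not customer data): host -> set of image ids.
    40 core images on every endpoint, five department bundles of 10 images,
    one app spread over three versions on every tenth endpoint, and a
    one-off image on every fourth endpoint."""
    population = {}
    for i in range(n_endpoints):
        images = {f"core-{k}" for k in range(40)}
        images |= {f"dept{i % 5}-{k}" for k in range(10)}
        if i % 10 == 0:
            images.add(f"app-v{i % 3}")     # version sprawl of one application
        if i % 4 == 0:
            images.add(f"rare-{i}")         # image unique to this endpoint
        population[f"ep-{i:04d}"] = images
    return population


def image_prevalence(population):
    """Fraction of endpoints on which each distinct image is present."""
    counts = Counter()
    for images in population.values():
        counts.update(images)
    n = len(population)
    return {image: count / n for image, count in counts.items()}


def ski_slope(population):
    """Prevalence values sorted high to low: the head-to-tail frequency curve."""
    return sorted(image_prevalence(population).values(), reverse=True)


def pareto_summary(population, tail_threshold=0.001, core_threshold=0.10):
    """Attack surface figures. The bloat factor compares all distinct images with
    the 'disciplined' set present on at least core_threshold of endpoints."""
    prevalence = image_prevalence(population)
    distinct = len(prevalence)
    tail = sum(1 for p in prevalence.values() if p < tail_threshold)
    core = sum(1 for p in prevalence.values() if p >= core_threshold)
    return {
        "endpoints": len(population),
        "distinct_images": distinct,
        "tail_images": tail,
        "core_images": core,
        "bloat_factor": round(distinct / core, 1),
    }


if __name__ == "__main__":
    population = build_population()
    print(pareto_summary(population))
    curve = ski_slope(population)
    print(f"head prevalence {curve[0]:.4f}, tail prevalence {curve[-1]:.4f}")
```

In this synthetic population the 500 one-off images make up the tail (each on 0.05% of endpoints, below the 0.1% mark), and the three coexisting versions of one application are neither tail nor core: exactly the kind of sprawl that inflates the distinct-image count without showing up in either extreme of the curve.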
The OMB sprint is a great reminder to us all that good things can be achieved quickly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a vital piece for OMB to consider as part of their 30-day sprint.